Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: perl-cgi hole in UltimateBB by Infopop Corp.
From: mckinnon () ISIS2000 COM (Bill McKinnon)
Date: Wed, 16 Feb 2000 09:06:47 -0700


On Tue, 15 Feb 2000, Andrew Danforth wrote:

On Mon, 14 Feb 2000, Bill wrote:

   Isn't open(FH, "< $variable") sufficient to stop any embedded |'s, etc
from doing anything harmful, as well?

Not really.  Consider the following snippet:

open PASSWD, '< /etc/passwd';
$var = '&PASSWD'; # also try $var = '&3';
open IN, "< $var";
print while (<IN>);

Perl's open will dup other file descriptors if < is followed by &.  This
isn't as potentially problematic as forking commands, but there may be
circumstances where someone could dup a filehandle and cause your script
to behave strangely/output sensitive information/etc.

Andrew

   Interesting. And for the curious, this doesn't seem to be noticed by
Perl's tainting mechanism, unless I'm misunderstanding something:

$ perl -T - '&PW'
open(PW, "/etc/passwd") or die "open(): $!\n";

$var = shift;

open(FH, "< $var") or die "open(): $!\n";

print <FH>;

(hit CTRL D here)
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
...
etc

   Anyway, this is probably getting off topic...

- Bill


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]